EDR: CBLR commands cause .tmp files to consume endpoint's disk
search cancel

EDR: CBLR commands cause .tmp files to consume endpoint's disk


Article ID: 289832


Updated On:


Carbon Black EDR (formerly Cb Response)


  • A .tmp file in C:\Windows\CarbonBlack continues to grow to several GB in size
  • A process executed from Live Response via execfg is running in the background


  • EDR Server: All Versions (Formerly CB Response)
  • EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions


The command is requesting user input which is constantly printed to the .tmp file - CB-27472


Stop the process
  1. From CBLR find the process' PID in the process list
  1. Use the PID to kill the process
kill PID​​​

Additional Information

  • Sensor services may need to be restarted if the session for the endpoint is still active. This will be obvious if an error is logged when any new commands are run
    • Error: NOT FOUND - Session 4 currently processing command 7
  • execfg should not be used for commands requiring user input
  • Commands should be tested on a subset of systems before running against large deployments
  • Flags such as /y to skip prompts can also be used to work around the issue